OK, so noted. But seeing as I've already done the partial in this case, what's best to do now? Should I add another commit to revert the so-far unreverted files?

- Jamie


On 2018-08-16 13:27, Rodney W. Grimes wrote:
Author: jamie
Date: Thu Aug 16 19:09:43 2018
New Revision: 337925
URL: https://svnweb.freebsd.org/changeset/base/337925

Log:
Revert r337922, except for some documentation-only bits. This needs to wait
  until user is changed to stop using jail(2).

Can we please stop doing "partial" reverts? It makes log
tracking and sorting out stuff later more difficult.

If something is separable and needs to stay, it is best
to revert the whole commit, and then commit with a proper
log exactly what it is that you did not want to revert.


  Differential Revision:        D14791

Modified:
  head/lib/libc/sys/jail.2
  head/sys/compat/freebsd32/freebsd32_misc.c
  head/sys/compat/freebsd32/freebsd32_proto.h
  head/sys/compat/freebsd32/freebsd32_syscall.h
  head/sys/compat/freebsd32/freebsd32_syscalls.c
  head/sys/compat/freebsd32/freebsd32_sysent.c
  head/sys/compat/freebsd32/freebsd32_systrace_args.c
  head/sys/compat/freebsd32/syscalls.master
  head/sys/kern/init_sysent.c
  head/sys/kern/kern_jail.c
  head/sys/kern/syscalls.c
  head/sys/kern/syscalls.master
  head/sys/kern/systrace_args.c
  head/sys/sys/jail.h
  head/sys/sys/syscall.h
  head/sys/sys/syscall.mk
  head/sys/sys/syscallsubr.h
  head/sys/sys/sysproto.h

Modified: head/lib/libc/sys/jail.2
==============================================================================
--- head/lib/libc/sys/jail.2    Thu Aug 16 18:58:34 2018        (r337924)
+++ head/lib/libc/sys/jail.2    Thu Aug 16 19:09:43 2018        (r337925)
@@ -25,10 +25,11 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 16, 2018
+.Dd February 8, 2012
 .Dt JAIL 2
 .Os
 .Sh NAME
+.Nm jail ,
 .Nm jail_get ,
 .Nm jail_set ,
 .Nm jail_remove ,
@@ -40,6 +41,8 @@
 .In sys/param.h
 .In sys/jail.h
 .Ft int
+.Fn jail "struct jail *jail"
+.Ft int
 .Fn jail_attach "int jid"
 .Ft int
 .Fn jail_remove "int jid"
@@ -50,7 +53,74 @@
 .Fn jail_set "struct iovec *iov" "u_int niov" "int flags"
 .Sh DESCRIPTION
 The
+.Fn jail
+system call sets up a jail and locks the current process in it.
+.Pp
+The argument is a pointer to a structure describing the prison:
+.Bd -literal -offset indent
+struct jail {
+       uint32_t        version;
+       char            *path;
+       char            *hostname;
+       char            *jailname;
+       unsigned int    ip4s;
+       unsigned int    ip6s;
+       struct in_addr  *ip4;
+       struct in6_addr *ip6;
+};
+.Ed
+.Pp
+.Dq Li version
+defines the version of the API in use.
+.Dv JAIL_API_VERSION
+is defined for the current version.
+.Pp
+The
+.Dq Li path
+pointer should be set to the directory which is to be the root of the
+prison.
+.Pp
+The
+.Dq Li hostname
+pointer can be set to the hostname of the prison.
+This can be changed
+from the inside of the prison.
+.Pp
+The
+.Dq Li jailname
+pointer is an optional name that can be assigned to the jail
+for example for management purposes.
+.Pp
+The
+.Dq Li ip4s
+and
+.Dq Li ip6s
+give the numbers of IPv4 and IPv6 addresses that will be passed
+via their respective pointers.
+.Pp
+The
+.Dq Li ip4
+and
+.Dq Li ip6
+pointers can be set to an arrays of IPv4 and IPv6 addresses to be assigned to
+the prison, or NULL if none.
+IPv4 addresses must be in network byte order.
+.Pp
+This is equivalent to, and deprecated in favor of, the
 .Fn jail_set
+system call (see below), with the parameters
+.Va path ,
+.Va host.hostname ,
+.Va name ,
+.Va ip4.addr ,
+and
+.Va ip6.addr ,
+and with the
+.Dv JAIL_ATTACH
+flag.
+.Pp
+The
+.Fn jail_set
system call creates a new jail, or modifies an existing one, and optionally
 locks the current process in it.
Jail parameters are passed as an array of name-value pairs in the array
@@ -76,19 +146,13 @@ The current set of available parameters, and their for
 retrieved via the
 .Va security.jail.param
 sysctl MIB entry.
-Notable parameters include
+Notable parameters include those mentioned in the
+.Fn jail
+description above, as well as
 .Va jid
 and
-.Va name
-which identify the jail being created or modified,
-.Va path
-(the root directory of the jail),
-.Va host.hostname
-(the hostname of the jail), and
-.Va ip4.addr
-and
-.Va ip6.addr
-(IP addresses to assign to the jail).
+.Va name ,
+which identify the jail being created or modified.
 See
 .Xr jail 8
 for more information on the core jail parameters.
@@ -173,7 +237,8 @@ It will kill all processes belonging to the jail, and
 of that jail.
 .Sh RETURN VALUES
 If successful,
-.Fn jail_set
+.Fn jail ,
+.Fn jail_set ,
 and
 .Fn jail_get
 return a non-negative integer, termed the jail identifier (JID).
@@ -184,6 +249,25 @@ to indicate the error.
 .Rv -std jail_attach jail_remove
 .Sh ERRORS
 The
+.Fn jail
+system call
+will fail if:
+.Bl -tag -width Er
+.It Bq Er EPERM
+This process is not allowed to create a jail, either because it is not
+the super-user, or because it would exceed the jail's
+.Va children.max
+limit.
+.It Bq Er EFAULT
+.Fa jail
+points to an address outside the allocated address space of the process.
+.It Bq Er EINVAL
+The version number of the argument is not correct.
+.It Bq Er EAGAIN
+No free JID could be found.
+.El
+.Pp
+The
 .Fn jail_set
 system call
 will fail if:
@@ -287,7 +371,8 @@ does not exist.
 .El
 .Pp
 Further
-.Fn jail_set
+.Fn jail ,
+.Fn jail_set ,
 and
 .Fn jail_attach
 call
@@ -301,7 +386,7 @@ manual page for details.
 .Xr chroot 2 ,
 .Xr jail 8
 .Sh HISTORY
-The now-deprecated
+The
 .Fn jail
 system call appeared in
 .Fx 4.0 .

Modified: head/sys/compat/freebsd32/freebsd32_misc.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_misc.c Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/freebsd32_misc.c Thu Aug 16 19:09:43 2018 (r337925)
@@ -2289,10 +2289,8 @@ freebsd32_sysctl(struct thread *td, struct freebsd32_s
        return (0);
 }

-#ifdef COMPAT_FREEBSD11
 int
-freebsd11_freebsd32_jail(struct thread *td,
-    struct freebsd11_freebsd32_jail_args *uap)
+freebsd32_jail(struct thread *td, struct freebsd32_jail_args *uap)
 {
        uint32_t version;
        int error;
@@ -2349,9 +2347,8 @@ freebsd11_freebsd32_jail(struct thread *td,
                /* Sci-Fi jails are not supported, sorry. */
                return (EINVAL);
        }
-       return (freebsd11_kern_jail(td, &j));
+       return (kern_jail(td, &j));
 }
-#endif /* COMPAT_FREEBSD11 */

 int
freebsd32_jail_set(struct thread *td, struct freebsd32_jail_set_args *uap)

Modified: head/sys/compat/freebsd32/freebsd32_proto.h
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_proto.h Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/freebsd32_proto.h Thu Aug 16 19:09:43 2018 (r337925)
@@ -283,6 +283,9 @@ struct freebsd32_sched_rr_get_interval_args {
        char pid_l_[PADL_(pid_t)]; pid_t pid; char pid_r_[PADR_(pid_t)];
char interval_l_[PADL_(struct timespec32 *)]; struct timespec32 * interval; char interval_r_[PADR_(struct timespec32 *)];
 };
+struct freebsd32_jail_args {
+ char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char jail_r_[PADR_(struct jail32 *)];
+};
 struct freebsd32_sigtimedwait_args {
char set_l_[PADL_(const sigset_t *)]; const sigset_t * set; char set_r_[PADR_(const sigset_t *)]; char info_l_[PADL_(siginfo_t *)]; siginfo_t * info; char info_r_[PADR_(siginfo_t *)]; @@ -758,6 +761,7 @@ int freebsd32_aio_return(struct thread *, struct freeb int freebsd32_aio_suspend(struct thread *, struct freebsd32_aio_suspend_args *); int freebsd32_aio_error(struct thread *, struct freebsd32_aio_error_args *); int freebsd32_sched_rr_get_interval(struct thread *, struct freebsd32_sched_rr_get_interval_args *);
+int    freebsd32_jail(struct thread *, struct freebsd32_jail_args *);
int freebsd32_sigtimedwait(struct thread *, struct freebsd32_sigtimedwait_args *); int freebsd32_sigwaitinfo(struct thread *, struct freebsd32_sigwaitinfo_args *); int freebsd32_aio_waitcomplete(struct thread *, struct freebsd32_aio_waitcomplete_args *);
@@ -1180,9 +1184,6 @@ struct freebsd11_freebsd32_fhstat_args {
char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle * u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)]; char sb_l_[PADL_(struct freebsd11_stat32 *)]; struct freebsd11_stat32 * sb; char sb_r_[PADR_(struct freebsd11_stat32 *)];
 };
-struct freebsd11_freebsd32_jail_args {
- char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char jail_r_[PADR_(struct jail32 *)];
-};
 struct freebsd11_freebsd32_kevent_args {
        char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
char changelist_l_[PADL_(const struct kevent32_freebsd11 *)]; const struct kevent32_freebsd11 * changelist; char changelist_r_[PADR_(const struct kevent32_freebsd11 *)]; @@ -1222,7 +1223,6 @@ int freebsd11_freebsd32_lstat(struct thread *, struct int freebsd11_freebsd32_getdirentries(struct thread *, struct freebsd11_freebsd32_getdirentries_args *); int freebsd11_freebsd32_getdents(struct thread *, struct freebsd11_freebsd32_getdents_args *); int freebsd11_freebsd32_fhstat(struct thread *, struct freebsd11_freebsd32_fhstat_args *); -int freebsd11_freebsd32_jail(struct thread *, struct freebsd11_freebsd32_jail_args *); int freebsd11_freebsd32_kevent(struct thread *, struct freebsd11_freebsd32_kevent_args *); int freebsd11_freebsd32_fstatat(struct thread *, struct freebsd11_freebsd32_fstatat_args *); int freebsd11_freebsd32_mknodat(struct thread *, struct freebsd11_freebsd32_mknodat_args *); @@ -1317,7 +1317,7 @@ int freebsd11_freebsd32_mknodat(struct thread *, struc #define FREEBSD32_SYS_AUE_freebsd6_freebsd32_lio_listio AUE_LIO_LISTIO
 #define        FREEBSD32_SYS_AUE_freebsd32_sched_rr_get_interval       AUE_NULL
 #define        FREEBSD32_SYS_AUE_freebsd4_freebsd32_sendfile   AUE_SENDFILE
-#define        FREEBSD32_SYS_AUE_freebsd11_freebsd32_jail      AUE_JAIL
+#define        FREEBSD32_SYS_AUE_freebsd32_jail        AUE_JAIL
 #define        FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigaction  AUE_SIGACTION
 #define        FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigreturn  AUE_SIGRETURN
 #define        FREEBSD32_SYS_AUE_freebsd32_sigtimedwait        AUE_SIGWAIT

Modified: head/sys/compat/freebsd32/freebsd32_syscall.h
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_syscall.h Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/freebsd32_syscall.h Thu Aug 16 19:09:43 2018 (r337925)
@@ -275,7 +275,7 @@
 #define        FREEBSD32_SYS_utrace    335
                                /* 336 is freebsd4 freebsd32_sendfile */
 #define        FREEBSD32_SYS_kldsym    337
-#define        FREEBSD32_SYS_freebsd11_freebsd32_jail  338
+#define        FREEBSD32_SYS_freebsd32_jail    338
 #define        FREEBSD32_SYS_sigprocmask       340
 #define        FREEBSD32_SYS_sigsuspend        341
                                /* 342 is freebsd4 freebsd32_sigaction */

Modified: head/sys/compat/freebsd32/freebsd32_syscalls.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_syscalls.c Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/freebsd32_syscalls.c Thu Aug 16 19:09:43 2018 (r337925)
@@ -347,7 +347,7 @@ const char *freebsd32_syscallnames[] = {
        "utrace",                     /* 335 = utrace */
"compat4.freebsd32_sendfile", /* 336 = freebsd4 freebsd32_sendfile */
        "kldsym",                     /* 337 = kldsym */
-       "compat11.freebsd32_jail",            /* 338 = freebsd11 freebsd32_jail 
*/
+       "freebsd32_jail",                     /* 338 = freebsd32_jail */
        "#339",                       /* 339 = pioctl */
        "sigprocmask",                        /* 340 = sigprocmask */
        "sigsuspend",                 /* 341 = sigsuspend */

Modified: head/sys/compat/freebsd32/freebsd32_sysent.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_sysent.c Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/freebsd32_sysent.c Thu Aug 16 19:09:43 2018 (r337925)
@@ -394,7 +394,7 @@ struct sysent freebsd32_sysent[] = {
{ AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 335 = utrace */ { compat4(AS(freebsd4_freebsd32_sendfile_args),freebsd32_sendfile), AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 336 = freebsd4 freebsd32_sendfile */ { AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 337 = kldsym */ - { compat11(AS(freebsd11_freebsd32_jail_args),freebsd32_jail), AUE_JAIL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = freebsd11 freebsd32_jail */ + { AS(freebsd32_jail_args), (sy_call_t *)freebsd32_jail, AUE_JAIL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = freebsd32_jail */ { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_ABSENT }, /* 339 = pioctl */ { AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask, AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 340 = sigprocmask */ { AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 341 = sigsuspend */

Modified: head/sys/compat/freebsd32/freebsd32_systrace_args.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_systrace_args.c Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/freebsd32_systrace_args.c Thu Aug 16 19:09:43 2018 (r337925)
@@ -1559,6 +1559,13 @@ systrace_args(int sysnum, void *params, uint64_t *uarg
                *n_args = 3;
                break;
        }
+       /* freebsd32_jail */
+       case 338: {
+               struct freebsd32_jail_args *p = params;
+               uarg[0] = (intptr_t) p->jail; /* struct jail32 * */
+               *n_args = 1;
+               break;
+       }
        /* sigprocmask */
        case 340: {
                struct sigprocmask_args *p = params;
@@ -5704,6 +5711,16 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *d
                        break;
                };
                break;
+       /* freebsd32_jail */
+       case 338:
+               switch(ndx) {
+               case 0:
+                       p = "userland struct jail32 *";
+                       break;
+               default:
+                       break;
+               };
+               break;
        /* sigprocmask */
        case 340:
                switch(ndx) {
@@ -9653,6 +9670,11 @@ systrace_return_setargdesc(int sysnum, int ndx, char *
                break;
        /* kldsym */
        case 337:
+               if (ndx == 0 || ndx == 1)
+                       p = "int";
+               break;
+       /* freebsd32_jail */
+       case 338:
                if (ndx == 0 || ndx == 1)
                        p = "int";
                break;

Modified: head/sys/compat/freebsd32/syscalls.master
==============================================================================
--- head/sys/compat/freebsd32/syscalls.master Thu Aug 16 18:58:34 2018 (r337924)
+++ head/sys/compat/freebsd32/syscalls.master Thu Aug 16 19:09:43 2018 (r337925)
@@ -601,7 +601,7 @@
                                    off_t *sbytes, int flags); }
 337    AUE_NULL        NOPROTO { int kldsym(int fileid, int cmd, \
                                    void *data); }
-338    AUE_JAIL        COMPAT11 { int freebsd32_jail(struct jail32 *jail); }
+338    AUE_JAIL        STD     { int freebsd32_jail(struct jail32 *jail); }
 339    AUE_NULL        UNIMPL  pioctl
 340    AUE_SIGPROCMASK NOPROTO { int sigprocmask(int how, \
                                    const sigset_t *set, sigset_t *oset); }

Modified: head/sys/kern/init_sysent.c
==============================================================================
--- head/sys/kern/init_sysent.c Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/kern/init_sysent.c Thu Aug 16 19:09:43 2018        (r337925)
@@ -387,7 +387,7 @@ struct sysent sysent[] = {
{ AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 335 = utrace */ { compat4(AS(freebsd4_sendfile_args),sendfile), AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 336 = freebsd4 sendfile */ { AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 337 = kldsym */ - { compat11(AS(freebsd11_jail_args),jail), AUE_JAIL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = freebsd11 jail */ + { AS(jail_args), (sy_call_t *)sys_jail, AUE_JAIL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = jail */ { AS(nnpfs_syscall_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0, SY_THR_ABSENT }, /* 339 = nnpfs_syscall */ { AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask, AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 340 = sigprocmask */ { AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 341 = sigsuspend */

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/kern/kern_jail.c   Thu Aug 16 19:09:43 2018        (r337925)
@@ -74,14 +74,6 @@ __FBSDID("$FreeBSD$");

 #include <security/mac/mac_framework.h>

-/*
- * The old jail(2) interface will exist under COMPAT_FREEBSD11, but the global
- * permission sysctls are slated to go away sometime (even with COMPAT).
- */
-#if defined(COMPAT_FREEBSD11) && !defined(BURN_BRIDGES)
-#define PR_GLOBAL_ALLOW
-#endif
-
 #define        DEFAULT_HOSTUUID        "00000000-0000-0000-0000-000000000000"

 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
@@ -207,11 +199,9 @@ const size_t pr_flag_allow_size = sizeof(pr_flag_allow
 #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
 #define        JAIL_DEFAULT_ENFORCE_STATFS     2
 #define        JAIL_DEFAULT_DEVFS_RSNUM        0
-#ifdef PR_GLOBAL_ALLOW
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
 static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
 static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM;
-#endif
 #if defined(INET) || defined(INET6)
 static unsigned jail_max_af_ips = 255;
 #endif
@@ -229,14 +219,13 @@ prison0_init(void)
strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease));
 }

-#ifdef COMPAT_FREEBSD11
 /*
  * struct jail_args {
  *     struct jail *jail;
  * };
  */
 int
-freebsd11_jail(struct thread *td, struct freebsd11_jail_args *uap)
+sys_jail(struct thread *td, struct jail_args *uap)
 {
        uint32_t version;
        int error;
@@ -281,16 +270,13 @@ freebsd11_jail(struct thread *td, struct freebsd11_jai
                /* Sci-Fi jails are not supported, sorry. */
                return (EINVAL);
        }
-       return (freebsd11_kern_jail(td, &j));
+       return (kern_jail(td, &j));
 }

 int
-freebsd11_kern_jail(struct thread *td, struct jail *j)
+kern_jail(struct thread *td, struct jail *j)
 {
-       struct iovec optiov[2 * (3
-#ifdef PR_GLOBAL_ALLOW
-                           + 1 + nitems(pr_flag_allow)
-#endif
+       struct iovec optiov[2 * (4 + nitems(pr_flag_allow)
 #ifdef INET
                            + 1
 #endif
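Review bot: The bare `4` in `optiov[2 * (4 + nitems(pr_flag_allow)` has to match the number of fixed name/value pairs that kern_jail() appends further down, and nothing in the hunk says which four those are. optiov is a stack array filled by advancing `opt.uio_iovcnt`, so if the count and the fill code drift apart the function writes past the end of it. A comment next to the constant, such as `/* path, host.hostname, name, enforce_statfs */`, would make the coupling visible; that list is inferred from the man page text and the enforce_statfs fill in a later hunk, so confirm it against the body. The declaration and the rest of the function continue outside the hunk.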
@@ -300,10 +286,7 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
                            )];
        struct uio opt;
        char *u_path, *u_hostname, *u_name;
-#ifdef PR_GLOBAL_ALLOW
        struct bool_flags *bf;
-       int enforce_statfs;
-#endif
 #ifdef INET
        uint32_t ip4s;
        struct in_addr *u_ip4;
@@ -312,7 +295,7 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
        struct in6_addr *u_ip6;
 #endif
        size_t tmplen;
-       int error;
+       int error, enforce_statfs;

        bzero(&optiov, sizeof(optiov));
        opt.uio_iov = optiov;
@@ -323,7 +306,6 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
        opt.uio_rw = UIO_READ;
        opt.uio_td = td;

-#ifdef PR_GLOBAL_ALLOW
        /* Set permissions for top-level jails from sysctls. */
        if (!jailed(td->td_ucred)) {
                for (bf = pr_flag_allow;
@@ -345,7 +327,6 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
                optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs);
                opt.uio_iovcnt++;
        }
-#endif

        tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN;
 #ifdef INET
@@ -449,7 +430,6 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
        free(u_path, M_TEMP);
        return (error);
 }
-#endif /* COMPAT_FREEBSD11 */


 /*
@@ -1267,11 +1247,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, i

                pr->pr_securelevel = ppr->pr_securelevel;
                pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
-#ifdef PR_GLOBAL_ALLOW
                pr->pr_enforce_statfs = jail_default_enforce_statfs;
-#else
-               pr->pr_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
-#endif
                pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum;

                pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
@@ -3439,7 +3415,6 @@ prison_path(struct prison *pr1, struct prison *pr2)
 static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
     "Jails");

-#ifdef COMPAT_FREEBSD11
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 {
@@ -3543,7 +3518,6 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 SYSCTL_OID(_security_jail, OID_AUTO, list,
     CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_list, "S", "List of active jails");
-#endif /* COMPAT_FREEBSD11 */

 static int
 sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
@@ -3583,14 +3557,13 @@ SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
 #if defined(INET) || defined(INET6)
 SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
     &jail_max_af_ips, 0,
- "Number of IP addresses a jail may have at most per address family");
+ "Number of IP addresses a jail may have at most per address family (deprecated)");
 #endif

 /*
- * Jail permissions - jailed processes can read these to find out what they are
- * allowed to do. A deprecated use is to set default permissions for prisons
- * created via jail(2). For historical reasons, the sysctl names have varying
- * similarity to the parameter names.
+ * Default parameters for jail(2) compatibility. For historical reasons,
+ * the sysctl names have varying similarity to the parameter names. Prisons
+ * just see their own parameters, and can't change them.
  */
 static int
 sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
@@ -3599,68 +3572,52 @@ sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
        int allow, error, i;

        pr = req->td->td_ucred->cr_prison;
-#ifdef PR_GLOBAL_ALLOW
        allow = (pr == &prison0) ? jail_default_allow : pr->pr_allow;
-#else
-       allow = pr->pr_allow;
-#endif

        /* Get the current flag value, and convert it to a boolean. */
        i = (allow & arg2) ? 1 : 0;
        if (arg1 != NULL)
                i = !i;
        error = sysctl_handle_int(oidp, &i, 0, req);
-       if (error)
+       if (error || !req->newptr)
                return (error);
-#ifdef PR_GLOBAL_ALLOW
-       if (req->newptr) {
-               i = i ? arg2 : 0;
-               if (arg1 != NULL)
-                       i ^= arg2;
-               /*
-                * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
-                * for writing.
-                */
-               mtx_lock(&prison0.pr_mtx);
-               jail_default_allow = (jail_default_allow & ~arg2) | i;
-               mtx_unlock(&prison0.pr_mtx);
-       }
-#endif
+       i = i ? arg2 : 0;
+       if (arg1 != NULL)
+               i ^= arg2;
+       /*
+        * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
+        * for writing.
+        */
+       mtx_lock(&prison0.pr_mtx);
+       jail_default_allow = (jail_default_allow & ~arg2) | i;
+       mtx_unlock(&prison0.pr_mtx);
        return (0);
 }

-#ifdef PR_GLOBAL_ALLOW
-#define CTLFLAG_GLOBAL_ALLOW   (CTLFLAG_RW | CTLFLAG_MPSAFE)
-#define ADDR_GLOBAL_ALLOW(i)   &i
-#else
-#define CTLFLAG_GLOBAL_ALLOW   (CTLFLAG_RD | CTLFLAG_MPSAFE)
-#define ADDR_GLOBAL_ALLOW(i)   NULL
-#endif
-
 SYSCTL_PROC(_security_jail, OID_AUTO, set_hostname_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow, "I",
-    "Processes in jail can set their hostnames");
+    "Processes in jail can set their hostnames (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, socket_unixiproute_only,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     (void *)1, PR_ALLOW_SOCKET_AF, sysctl_jail_default_allow, "I",
- "Processes in jail are limited to creating UNIX/IP/route sockets only");
+ "Processes in jail are limited to creating UNIX/IP/route sockets only (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, sysvipc_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_SYSVIPC, sysctl_jail_default_allow, "I",
-    "Processes in jail can use System V IPC primitives");
+ "Processes in jail can use System V IPC primitives (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, allow_raw_sockets,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_RAW_SOCKETS, sysctl_jail_default_allow, "I",
-    "Prison root can create raw sockets");
+    "Prison root can create raw sockets (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I",
-    "Processes in jail can alter system file flags");
+    "Processes in jail can alter system file flags (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
- "Processes in jail can mount/unmount jail-friendly file systems");
+ "Processes in jail can mount/unmount jail-friendly file systems (deprecated)");

 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
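Review bot: The write path in sysctl_jail_default_allow() updates `jail_default_allow` without looking at `pr`, so the only thing keeping a jailed caller away from the prison0 default is the sysctl layer's treatment of OIDs that lack the prison flag, as the in-code comment says. The handler already has `pr` in hand, so an explicit `if (pr != &prison0) return (EPERM);` ahead of `mtx_lock(&prison0.pr_mtx)` would make that assumption local instead of implied. The comment also spells the flag `CTLFLAGS_PRISON`; the sysctl flag is `CTLFLAG_PRISON`. This matters more now that the same hunk makes each `security.jail.*_allowed` OID `CTLFLAG_RW` again.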
@@ -3669,33 +3626,25 @@ sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
        int level, error;

        pr = req->td->td_ucred->cr_prison;
-#ifdef PR_GLOBAL_ALLOW
level = (pr == &prison0) ? *(int *)arg1 : *(int *)((char *)pr + arg2);
-#else
-       level = *(int *)((char *)pr + arg2);
-#endif
        error = sysctl_handle_int(oidp, &level, 0, req);
-       if (error)
+       if (error || !req->newptr)
                return (error);
-#ifdef PR_GLOBAL_ALLOW
-       if (req->newptr)
-               *(int *)arg1 = level;
-#endif
+       *(int *)arg1 = level;
        return (0);
 }

 SYSCTL_PROC(_security_jail, OID_AUTO, enforce_statfs,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
-    ADDR_GLOBAL_ALLOW(jail_default_enforce_statfs),
-    offsetof(struct prison, pr_enforce_statfs),
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ &jail_default_enforce_statfs, offsetof(struct prison, pr_enforce_statfs),
     sysctl_jail_default_level, "I",
-    "Processes in jail cannot see all mounted file systems");
+ "Processes in jail cannot see all mounted file systems (deprecated)");
+
 SYSCTL_PROC(_security_jail, OID_AUTO, devfs_ruleset,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
-    ADDR_GLOBAL_ALLOW(jail_default_devfs_rsnum),
-    offsetof(struct prison, pr_devfs_rsnum),
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
+ &jail_default_devfs_rsnum, offsetof(struct prison, pr_devfs_rsnum),
     sysctl_jail_default_level, "I",
-    "Ruleset for the devfs filesystem in jail");
+    "Ruleset for the devfs filesystem in jail (deprecated)");

 /*
* Nodes to describe jail parameters. Maximum length of string parameters
@@ -3836,6 +3785,9 @@ prison_add_allow(const char *prefix, const char *name,
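Review bot: `*(int *)arg1 = level;` in sysctl_jail_default_level() stores whatever integer the writer supplied, with no range check and no lock. For `security.jail.enforce_statfs` that value lands in `jail_default_enforce_statfs`, which the kern_jail_set hunk earlier in this file copies straight into `pr->pr_enforce_statfs` for a new prison. A bounds check before the store would keep an out-of-range default from being inherited. Because the handler is shared with devfs_ruleset, the check has to be keyed on the OID, or enforce_statfs needs its own handler. The accepted range is not visible in this diff, so take it from the enforce_statfs parameter validation in kern_jail_set().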
        struct bool_flags *bf;
        struct sysctl_oid *parent;
        char *allow_name, *allow_noname, *allowed;
+#ifndef NO_SYSCTL_DESCR
+       char *descr_deprecated;
+#endif
        unsigned allow_flag;

        if (prefix
@@ -3892,7 +3844,10 @@ prison_add_allow(const char *prefix, const char *name,
        bf->flag = allow_flag;
        mtx_unlock(&prison0.pr_mtx);

-       /* Create sysctls for the paramter, and the current permission. */
+       /*
+        * Create sysctls for the paramter, and the back-compat global
+        * permission.
+        */
        parent = prefix
            ? SYSCTL_ADD_NODE(NULL,
                  SYSCTL_CHILDREN(&sysctl___security_jail_param_allow),
@@ -3904,10 +3859,17 @@ prison_add_allow(const char *prefix, const char *name,
        if ((prefix
             ? asprintf(&allowed, M_TEMP, "%s_%s_allowed", prefix, name)
             : asprintf(&allowed, M_TEMP, "%s_allowed", name)) >= 0) {
+#ifndef NO_SYSCTL_DESCR
+               (void)asprintf(&descr_deprecated, M_TEMP, "%s (deprecated)",
+                   descr);
+#endif
                (void)SYSCTL_ADD_PROC(NULL,
                    SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO, allowed,
-                   CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW, NULL, allow_flag,
-                   sysctl_jail_default_allow, "I", descr);
+                   CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, allow_flag,
+                   sysctl_jail_default_allow, "I", descr_deprecated);
+#ifndef NO_SYSCTL_DESCR
+               free(descr_deprecated, M_TEMP);
+#endif
                free(allowed, M_TEMP);
        }
        return allow_flag;
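Review bot: The result of `asprintf(&descr_deprecated, ...)` is cast to void, so on allocation failure the pointer goes to SYSCTL_ADD_PROC and then to free() in whatever state asprintf left it; `descr_deprecated` is declared without an initializer in the earlier hunk of this function. Checking the return and falling back to the caller's string avoids depending on that: `if (asprintf(&descr_deprecated, M_TEMP, "%s (deprecated)", descr) < 0) descr_deprecated = NULL;` and pass `descr_deprecated != NULL ? descr_deprecated : descr` as the description. The SYSCTL_ADD_PROC call also names `descr_deprecated` outside the `#ifndef NO_SYSCTL_DESCR` guards, which presumably builds only because the macro discards its description argument in that configuration; a one-line comment saying so would help the next reader. prison_add_allow() begins before this hunk.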

Modified: head/sys/kern/syscalls.c
==============================================================================
--- head/sys/kern/syscalls.c    Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/kern/syscalls.c    Thu Aug 16 19:09:43 2018        (r337925)
@@ -344,7 +344,7 @@ const char *syscallnames[] = {
        "utrace",                     /* 335 = utrace */
        "compat4.sendfile",           /* 336 = freebsd4 sendfile */
        "kldsym",                     /* 337 = kldsym */
-       "compat11.jail",              /* 338 = freebsd11 jail */
+       "jail",                       /* 338 = jail */
        "nnpfs_syscall",                      /* 339 = nnpfs_syscall */
        "sigprocmask",                        /* 340 = sigprocmask */
        "sigsuspend",                 /* 341 = sigsuspend */

Modified: head/sys/kern/syscalls.master
==============================================================================
--- head/sys/kern/syscalls.master       Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/kern/syscalls.master       Thu Aug 16 19:09:43 2018        
(r337925)
@@ -738,7 +738,7 @@
                                    _Out_opt_ off_t *sbytes, int flags); }
 337    AUE_NULL        STD     { int kldsym(int fileid, int cmd, \
                                    _In_ void *data); }
-338    AUE_JAIL        COMPAT11 { int jail( \
+338    AUE_JAIL        STD     { int jail( \
                                    _In_ struct jail *jail); }

 339    AUE_NULL        NOSTD|NOTSTATIC { int nnpfs_syscall(int operation, \

Modified: head/sys/kern/systrace_args.c
==============================================================================
--- head/sys/kern/systrace_args.c       Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/kern/systrace_args.c       Thu Aug 16 19:09:43 2018        
(r337925)
@@ -1593,6 +1593,13 @@ systrace_args(int sysnum, void *params, uint64_t *uarg
                *n_args = 3;
                break;
        }
+       /* jail */
+       case 338: {
+               struct jail_args *p = params;
+               uarg[0] = (intptr_t) p->jail; /* struct jail * */
+               *n_args = 1;
+               break;
+       }
        /* nnpfs_syscall */
        case 339: {
                struct nnpfs_syscall_args *p = params;
@@ -5765,6 +5772,16 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *d
                        break;
                };
                break;
+       /* jail */
+       case 338:
+               switch(ndx) {
+               case 0:
+                       p = "userland struct jail *";
+                       break;
+               default:
+                       break;
+               };
+               break;
        /* nnpfs_syscall */
        case 339:
                switch(ndx) {
@@ -9627,6 +9644,11 @@ systrace_return_setargdesc(int sysnum, int ndx, char *
                break;
        /* kldsym */
        case 337:
+               if (ndx == 0 || ndx == 1)
+                       p = "int";
+               break;
+       /* jail */
+       case 338:
                if (ndx == 0 || ndx == 1)
                        p = "int";
                break;

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/jail.h Thu Aug 16 19:09:43 2018        (r337925)
@@ -32,7 +32,6 @@
 #ifndef _SYS_JAIL_H_
 #define _SYS_JAIL_H_

-#ifdef COMPAT_FREEBSD11
 #ifdef _KERNEL
 struct jail_v0 {
        u_int32_t       version;
@@ -58,6 +57,16 @@ struct jail {
  * For all xprison structs, always keep the pr_version an int and
  * the first variable so userspace can easily distinguish them.
  */
+#ifndef _KERNEL
+struct xprison_v1 {
+       int              pr_version;
+       int              pr_id;
+       char             pr_path[MAXPATHLEN];
+       char             pr_host[MAXHOSTNAMELEN];
+       u_int32_t        pr_ip;
+};
+#endif
+
 struct xprison {
        int              pr_version;
        int              pr_id;
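Review bot: `struct xprison_v1` is restored without a comment saying how it differs from `struct xprison`, and it is the only declaration in this hunk guarded by `#ifndef _KERNEL`. Its single `u_int32_t pr_ip` member suggests it is the older one-address layout, so a consumer has to read `pr_version` first, as the comment directly above says, before deciding which structure to overlay on a returned buffer. I would add a short comment above the struct, for example `/* Legacy version 1 layout, userland only; check pr_version before interpreting. */`. `struct xprison` itself continues past the end of this hunk.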
@@ -82,7 +91,6 @@ struct xprison {
 #define        PRISON_STATE_INVALID    0
 #define        PRISON_STATE_ALIVE      1
 #define        PRISON_STATE_DYING      2
-#endif /* COMPAT_FREEBSD11 */

 /*
  * Flags for jail_set and jail_get.
@@ -102,6 +110,7 @@ struct xprison {

 struct iovec;

+int jail(struct jail *);
 int jail_set(struct iovec *, unsigned int, int);
 int jail_get(struct iovec *, unsigned int, int);
 int jail_attach(int);

Modified: head/sys/sys/syscall.h
==============================================================================
--- head/sys/sys/syscall.h      Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/syscall.h      Thu Aug 16 19:09:43 2018        (r337925)
@@ -280,7 +280,7 @@
 #define        SYS_utrace      335
                                /* 336 is freebsd4 sendfile */
 #define        SYS_kldsym      337
-#define        SYS_freebsd11_jail      338
+#define        SYS_jail        338
 #define        SYS_nnpfs_syscall       339
 #define        SYS_sigprocmask 340
 #define        SYS_sigsuspend  341

Modified: head/sys/sys/syscall.mk
==============================================================================
--- head/sys/sys/syscall.mk     Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/syscall.mk     Thu Aug 16 19:09:43 2018        (r337925)
@@ -209,7 +209,7 @@ MIASM =  \
        sched_rr_get_interval.o \
        utrace.o \
        kldsym.o \
-       freebsd11_jail.o \
+       jail.o \
        nnpfs_syscall.o \
        sigprocmask.o \
        sigsuspend.o \

Modified: head/sys/sys/syscallsubr.h
==============================================================================
--- head/sys/sys/syscallsubr.h  Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/syscallsubr.h  Thu Aug 16 19:09:43 2018        (r337925)
@@ -143,6 +143,7 @@ int kern_getsockname(struct thread *td, int fd, struct
 int    kern_getsockopt(struct thread *td, int s, int level, int name,
            void *optval, enum uio_seg valseg, socklen_t *valsize);
 int    kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data);
+int    kern_jail(struct thread *td, struct jail *j);
 int    kern_jail_get(struct thread *td, struct uio *options, int flags);
 int    kern_jail_set(struct thread *td, struct uio *options, int flags);
 int    kern_kevent(struct thread *td, int fd, int nchanges, int nevents,
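Review bot: The restored `kern_jail(struct thread *td, struct jail *j)` prototype does not say which address space `j` lives in, while the syscall argument of the same type is described as `userland struct jail *` in the systrace_args.c hunk. `kern_getsockopt` a few lines above makes that distinction explicit with its `enum uio_seg valseg` parameter. If, as the `kern_` prefix suggests, the helper expects a structure already copied into the kernel, a comment such as `/* j: kernel copy of struct jail, never a user address */` would guard against a caller passing the raw syscall pointer. This should be confirmed against kern_jail.c, which is not visible in this part of the page.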
@@ -307,6 +308,5 @@ struct freebsd11_dirent;

int freebsd11_kern_getdirentries(struct thread *td, int fd, char *ubuf, u_int
            count, long *basep, void (*func)(struct freebsd11_dirent *));
-int    freebsd11_kern_jail(struct thread *td, struct jail *j);

 #endif /* !_SYS_SYSCALLSUBR_H_ */

Modified: head/sys/sys/sysproto.h
==============================================================================
--- head/sys/sys/sysproto.h     Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/sysproto.h     Thu Aug 16 19:09:43 2018        (r337925)
@@ -849,6 +849,9 @@ struct kldsym_args {
        char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)];
char data_l_[PADL_(void *)]; void * data; char data_r_[PADR_(void *)];
 };
+struct jail_args {
+ char jail_l_[PADL_(struct jail *)]; struct jail * jail; char jail_r_[PADR_(struct jail *)];
+};
 struct nnpfs_syscall_args {
char operation_l_[PADL_(int)]; int operation; char operation_r_[PADR_(int)]; char a_pathP_l_[PADL_(char *)]; char * a_pathP; char a_pathP_r_[PADR_(char *)]; @@ -1958,6 +1961,7 @@ int sys_sched_get_priority_min(struct thread *, struct int sys_sched_rr_get_interval(struct thread *, struct sched_rr_get_interval_args *);
 int    sys_utrace(struct thread *, struct utrace_args *);
 int    sys_kldsym(struct thread *, struct kldsym_args *);
+int    sys_jail(struct thread *, struct jail_args *);
 int    sys_nnpfs_syscall(struct thread *, struct nnpfs_syscall_args *);
 int    sys_sigprocmask(struct thread *, struct sigprocmask_args *);
 int    sys_sigsuspend(struct thread *, struct sigsuspend_args *);
@@ -2527,9 +2531,6 @@ struct freebsd11_fhstat_args {
char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle * u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)]; char sb_l_[PADL_(struct freebsd11_stat *)]; struct freebsd11_stat * sb; char sb_r_[PADR_(struct freebsd11_stat *)];
 };
-struct freebsd11_jail_args {
- char jail_l_[PADL_(struct jail *)]; struct jail * jail; char jail_r_[PADR_(struct jail *)];
-};
 struct freebsd11_kevent_args {
        char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
char changelist_l_[PADL_(struct kevent_freebsd11 *)]; struct kevent_freebsd11 * changelist; char changelist_r_[PADR_(struct kevent_freebsd11 *)]; @@ -2578,7 +2579,6 @@ int freebsd11_nstat(struct thread *, struct freebsd11_ int freebsd11_nfstat(struct thread *, struct freebsd11_nfstat_args *); int freebsd11_nlstat(struct thread *, struct freebsd11_nlstat_args *); int freebsd11_fhstat(struct thread *, struct freebsd11_fhstat_args *);
-int    freebsd11_jail(struct thread *, struct freebsd11_jail_args *);
int freebsd11_kevent(struct thread *, struct freebsd11_kevent_args *); int freebsd11_getfsstat(struct thread *, struct freebsd11_getfsstat_args *); int freebsd11_statfs(struct thread *, struct freebsd11_statfs_args *); @@ -2849,7 +2849,7 @@ int freebsd11_mknodat(struct thread *, struct freebsd1
 #define        SYS_AUE_utrace  AUE_NULL
 #define        SYS_AUE_freebsd4_sendfile       AUE_SENDFILE
 #define        SYS_AUE_kldsym  AUE_NULL
-#define        SYS_AUE_freebsd11_jail  AUE_JAIL
+#define        SYS_AUE_jail    AUE_JAIL
 #define        SYS_AUE_nnpfs_syscall   AUE_NULL
 #define        SYS_AUE_sigprocmask     AUE_SIGPROCMASK
 #define        SYS_AUE_sigsuspend      AUE_SIGSUSPEND

